[
https://issues.apache.org/jira/browse/TIKA-4590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048932#comment-18048932
]
Hervé Boutemy commented on TIKA-4590:
-------------------------------------
One key aspect of Reproducible Builds is that anybody can rebuild the releases
(with proper instructions and environment prerequisites) and get the same
binaries as the reference binaries published by the release manager during the
release process.
> Implement Reproducible Builds for Apache Tika
> ---------------------------------------------
>
> Key: TIKA-4590
> URL: https://issues.apache.org/jira/browse/TIKA-4590
> Project: Tika
> Issue Type: Task
> Reporter: Nicholas DiPiazza
> Priority: Major
> Labels: build, reproducible-builds, security
>
> h2. Problem
> Apache Tika builds are currently not reproducible. The Apache Software
> Foundation Security team requires reproducible builds to ensure build
> integrity and security.
> h2. Background
> Reproducible builds allow anyone to verify that the published binaries were
> built from the exact source code without any modifications. This is critical
> for security and supply chain integrity.
> h2. Requirements
> * Builds must produce bit-for-bit identical outputs when built from the same
> source code
> * Build timestamps and other non-deterministic elements must be normalized
> * Build environment variations should not affect output
> * Verification documentation should be provided
> h2. Expected Outcome
> * Maven builds configured for reproducibility
> * All artifacts (JARs, source archives) are reproducible
> * Build process documented with verification steps
> * Integration with Apache release process
> h2. References
> * Apache Software Foundation Security requirements
> * [Reproducible Builds Project|https://reproducible-builds.org/]
> * [Maven Reproducible Builds
> Guide|https://maven.apache.org/guides/mini/guide-reproducible-builds.html]
> h2. Acceptance Criteria
> # Configure maven-artifact-plugin with buildinfo generation
> # Set project.build.outputTimestamp property
> # Verify builds are reproducible across different environments
> # Document the verification process
> # Update release documentation
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
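The acceptance criteria above name the two knobs (a fixed project.build.outputTimestamp and buildinfo generation plus comparison) without showing what they actually fix, or what "rebuild and get the same binaries" means mechanically. The following added example is not Tika's code and not code from the Maven plugins; it is an illustration written for this page. A JAR is a ZIP, so it packs a constructed set of class bytes into an archive twice the way an unconfigured build does (build-machine clock stamped on every entry, entries in discovery order), shows why the two results differ, then does the normalized build and runs the check a verifier performs against the release manager's published digest. The class bytes, timestamps, entry names and OUTPUT_TIMESTAMP value are all constructed stand-ins.

```python
"""Added example (not Tika's or Maven's code): what makes a JAR non-reproducible
and how a verifier checks a rebuild against a reference artifact.  A JAR is a
ZIP, so the same mechanics apply; every input below is a constructed stand-in."""
import hashlib
import io
import time
import zipfile
from typing import Dict, List

# Constructed stand-in for compiler output: identical bytes on every build.
SOURCE_TREE: Dict[str, bytes] = {
    "org/apache/tika/Foo.class": b"\xca\xfe\xba\xbe" + b"foo-bytecode",
    "org/apache/tika/Bar.class": b"\xca\xfe\xba\xbe" + b"bar-bytecode",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}

# Assumed value playing the role of Maven's project.build.outputTimestamp.
OUTPUT_TIMESTAMP = "2024-01-01T00:00:00Z"


def _zip_time(iso_ts: str):
    """ISO-8601 UTC string -> the (y, m, d, H, M, S) tuple ZIP headers store."""
    t = time.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ")
    return (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def build_jar(entries: Dict[str, bytes], stamp: str, order: List[str]) -> bytes:
    """Pack entries into a ZIP, stamping every entry with `stamp` and writing
    them in `order`.  Both choices end up in the bytes of the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=_zip_time(stamp))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def naive_build(entries: Dict[str, bytes], wall_clock: str) -> bytes:
    """An unconfigured build: entries carry the build machine's clock and are
    written in whatever order the tool discovered them (dict order here)."""
    return build_jar(entries, wall_clock, list(entries))


def reproducible_build(entries: Dict[str, bytes]) -> bytes:
    """The normalized build: one fixed timestamp, entries in sorted order."""
    return build_jar(entries, OUTPUT_TIMESTAMP, sorted(entries))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def explain_difference(a: bytes, b: bytes) -> List[str]:
    """Why two archives differ (empty list if they are byte-identical).
    Compares entry order, per-entry timestamps and per-entry content CRCs."""
    if a == b:
        return []
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    reasons = []
    if za.namelist() != zb.namelist():
        reasons.append(f"entry order differs: {za.namelist()} vs {zb.namelist()}")
    for name in sorted(set(za.namelist()) & set(zb.namelist())):
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            reasons.append(f"{name}: timestamp {ia.date_time} vs {ib.date_time}")
        if ia.CRC != ib.CRC:
            reasons.append(f"{name}: content differs")
    return reasons or ["archives differ outside entry metadata"]


def verify_rebuild(reference_sha256: str, rebuilt: bytes) -> bool:
    """The verifier's check: a rebuild from the same source must hash to the
    digest the release manager published alongside the release."""
    return sha256(rebuilt) == reference_sha256


if __name__ == "__main__":
    first = naive_build(SOURCE_TREE, "2024-06-01T10:00:00Z")
    second = naive_build(SOURCE_TREE, "2024-06-01T10:01:00Z")
    print("naive builds identical:", first == second)
    for reason in explain_difference(first, second):
        print("  ", reason)
    reference = reproducible_build(SOURCE_TREE)
    # A verifier on another machine may see the sources in a different order.
    shuffled = dict(reversed(list(SOURCE_TREE.items())))
    print("reproducible rebuild verifies:",
          verify_rebuild(sha256(reference), reproducible_build(shuffled)))
```

In the real Maven build, project.build.outputTimestamp in the pom plays the role of OUTPUT_TIMESTAMP (the archive-producing plugins read it and stamp entries with it instead of the clock), the artifact plugin's buildinfo goal records the checksums of the produced artifacts, and its compare goal rebuilds and compares them against a reference repository. One caveat the issue's "across different environments" requirement implies: class-file output is not stable across JDK major versions, so a rebuild must use the same major JDK that the release manager used, which is why the buildinfo records the Java version.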